Overview
CVE-2025-60914 describes an incorrect access control vulnerability in Openatlas, a web-based application used by the Austrian Archaeological Institute and others. Versions prior to v8.12.0 allow unauthorized access to sensitive information via a crafted GET request to the /display_logo endpoint: the logo can be retrieved without proper authentication, which in some configurations could leak sensitive organizational information or internal identifiers.
Technical Details
The vulnerability lies in the inadequate access control on the /display_logo endpoint. An attacker can send a GET request directly to this endpoint, bypassing the intended authentication checks. Depending on the Openatlas configuration, the response reveals the organization's logo and, potentially, data embedded in or associated with it, such as internal identifiers, project names, or other information tied to the institute using the software. The root cause is that the application does not verify that the requester is authorized before serving the logo image.
CVSS Analysis
At the time of writing, the National Vulnerability Database (NVD) has not assigned a CVSS score to CVE-2025-60914. Because the issue is an information disclosure, a score is likely to follow. The severity will depend on how sensitive the logo actually is: if it is a plain public image, the severity is low; if it carries embedded data (organizational identifiers, server names, etc.), it could be medium.
Possible Impact
Successful exploitation of CVE-2025-60914 could lead to:
- Information Disclosure: Leaking sensitive information embedded within or associated with the logo.
- Reconnaissance: Providing attackers with valuable information for further attacks against the Openatlas instance or the organization.
- Reputational Damage: If the revealed information is considered confidential, it could damage the reputation of the Austrian Archaeological Institute or other organizations using Openatlas.
Mitigation and Patch Steps
The primary mitigation is to upgrade Openatlas to version 8.12.0 or later, which includes the fix for the incorrect access control. If upgrading is not immediately possible, consider the following temporary workarounds:
- Web Application Firewall (WAF) rule: restrict access to the /display_logo endpoint. Note that a WAF or reverse proxy cannot verify the application's own session, so in practice this means either adding its own authentication layer in front of the path or limiting the path to trusted source addresses.
- Access Control List (ACL): configure the web server to require authentication for the /display_logo endpoint.
- Review logo content: ensure the logo served by Openatlas does not contain sensitive or confidential information, including image metadata.
Whichever workaround is applied, confirm it by sending an unauthenticated GET to /display_logo and checking that no image comes back.
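As an added example (not code from Openatlas or from the advisory's authors), the script below checks whether an instance's /display_logo endpoint answers an unauthenticated GET with an image. Pointed at a real base URL it probes that instance; run without an argument it probes two constructed mock servers that model the unprotected and the protected behaviour described above. The base URL, the mock handler, the cookie name, and the assumption that a protected instance replies with 401/403 or a redirect to a login page are all assumptions for illustration, not facts from the advisory.

```python
"""Unauthenticated check for an Openatlas /display_logo endpoint.

Added example; not Openatlas or advisory code. It sends a single GET
with no session cookie and classifies the answer: an image back means
the endpoint is exposed; 401/403 or a redirect to a login page means it
is protected. The login-redirect convention and the mock handler below
are assumptions for illustration.
"""
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a bounce to /login is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, content_type: str, location: str = "") -> str:
    """Map one unauthenticated response to EXPOSED / PROTECTED / UNKNOWN."""
    if status == 200 and content_type.lower().startswith("image/"):
        return "EXPOSED"            # logo handed out with no session
    if status in (401, 403):
        return "PROTECTED"
    if 300 <= status < 400 and "login" in location.lower():
        return "PROTECTED"          # sent to the login page instead
    return "UNKNOWN"                # 404, 500, HTML error page, ...


def probe(base_url: str, path: str = "/display_logo") -> str:
    """GET base_url + path with no credentials and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "logo-probe/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""),
                            resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        return classify(err.code, err.headers.get("Content-Type", ""),
                        err.headers.get("Location", ""))


class _MockLogoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the endpoint; not Openatlas server code."""

    require_session = False   # set per mock instance in _start_mock()

    def do_GET(self):
        if self.path != "/display_logo":
            self.send_error(404)
            return
        # Protected variant: no "session=" cookie (assumed name) -> login redirect
        if self.require_session and "session=" not in self.headers.get("Cookie", ""):
            self.send_response(302)
            self.send_header("Location", "/login?next=/display_logo")
            self.end_headers()
            return
        body = b"\x89PNG\r\n\x1a\n"   # constructed: just the PNG signature
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def _start_mock(require_session: bool):
    """Bind a mock on an ephemeral loopback port and serve it in the background."""
    handler = type("Handler", (_MockLogoHandler,), {"require_session": require_session})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> dict:
    """Probe an unprotected and a protected mock; returns both verdicts."""
    verdicts = {}
    for name, require_session in (("unprotected", False), ("protected", True)):
        srv, url = _start_mock(require_session)
        try:
            verdicts[name] = probe(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python logo_probe.py https://openatlas.example.org
        print(probe(sys.argv[1]))
    else:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
```

Redirects are deliberately not followed: following a 302 to the login page would turn a PROTECTED verdict into an HTML 200 and hide the evidence. A verdict of UNKNOWN (for example a 404) means the path is not served at all, which is also worth checking after a web-server ACL is put in place.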
References
sec4you-pentest.com: Openatlas Unauthorized Access – /display_logo
sec4you-pentest.com: Vulnerabilities (Schwachstellen)
